<!DOCTYPE html>
<html>

  <head>
    <meta charset='utf-8' />
    <meta http-equiv="X-UA-Compatible" content="chrome=1" />
    <meta name="description" content="CAS - Single Sign-On for the Web" />
    
    
    <link rel="stylesheet" type="text/css" media="screen"
          href="../../stylesheets/v40x-stylesheet.css">
    <link rel="stylesheet" type="text/css" media="print"
          href="../../stylesheets/print.css">
    <title>CAS - CAS SAML Protocol</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
    <script src="../../javascripts/URI.js"></script>
    <script src="../../javascripts/v40x-main.js"></script>
  </head>

  <body>
    <!-- HEADER -->
    <div id="header_wrap" class="outer">
        <header class="inner">
          <a id="forkme_banner" href="https://github.com/Jasig/cas">View on GitHub</a>
          <div id="project_title">
            <a class="undecorated" href="../../index.html">
              <img class="undecorated" src="../../images/cas_logo.png"/>
            </a>
          </div>
          <h2 id="project_tagline">Single Sign-On for the Web</h2>
        </header>
    </div>

    <!-- NAVBAR -->    
    <div id="navbar_wrap" class="outer">
      <header id="navbar_content" class="inner">
        <div class="navlink">
  <a href="../../index.html">Home</a>
</div>
<div class="navlink">
  <a href="https://github.com/Jasig/cas/releases">Downloads</a>
</div>
<div class="navlink">
  <a href="https://www.google.com/cse/publicurl?cx=017040929083740828958:sqr2hwvrxmg">Search</a>
</div>
<div class="navlink">
  <a href="../../Support.html">Support</a>
</div>
<div class="navlink">
  <a href="../../Mailing-Lists.html">Mailing Lists</a>
</div>
<div class="navlink">
  <a href="../../Older-Versions.html">Older Versions</a>
</div>

        </header>
    </div>

      <!-- SIDEBAR -->
      <div id="sidebar_wrap" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="sidebartoc"></span>
        </header >
      </div>
      
      <!-- PAGE TABLE OF CONTENTS -->
      <div id="table_contents" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="tableOfContents"></span>
        </header>
      </div>
      
      <!-- MAIN CONTENT -->
      <div id="main_content_wrap" class="outer">
        <section id="main_content" class="inner">
          <h1 id="saml-protocol">SAML Protocol</h1>
<p>CAS has support for versions 1.1 and 2 of the SAML protocol to a specific extent. This document deals with CAS-specific concerns.</p>

<p>Support is enabled by including the following dependency in the Maven WAR overlay:</p>

<pre><code>&lt;dependency&gt;
  &lt;groupId&gt;org.jasig.cas&lt;/groupId&gt;
  &lt;artifactId&gt;cas-server-support-saml&lt;/artifactId&gt;
  &lt;version&gt;${cas.version}&lt;/version&gt;
&lt;/dependency&gt;
</code></pre>

<h1 id="saml-11">SAML 1.1</h1>
<p>CAS supports the <a href="http://en.wikipedia.org/wiki/SAML_1.1">standardized SAML 1.1 protocol</a> primarily to:</p>

<ul>
  <li>Support a method of <a href="../integration/Attribute-Release.html">attribute release</a></li>
  <li><a href="../installation/Logout-Single-Signout.html">Single Logout</a></li>
</ul>

<p>A SAML 1.1 ticket validation response is obtained by validating a ticket via POST at the <code>/samlValidate URI</code>.</p>

<h2 id="sample-request">Sample Request</h2>

<div class="highlight"><pre><code class="xml">POST /cas/samlValidate?ticket=
Host: cas.example.com
Content-Length: 491
Content-Type: text/xml
 
<span class="nt">&lt;SOAP-ENV:Envelope</span> <span class="na">xmlns:SOAP-ENV=</span><span class="s">&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;SOAP-ENV:Header/&gt;</span>
  <span class="nt">&lt;SOAP-ENV:Body&gt;</span>
    <span class="nt">&lt;samlp:Request</span> <span class="na">xmlns:samlp=</span><span class="s">&quot;urn:oasis:names:tc:SAML:1.0:protocol&quot;</span> <span class="na">MajorVersion=</span><span class="s">&quot;1&quot;</span>
      <span class="na">MinorVersion=</span><span class="s">&quot;1&quot;</span> <span class="na">RequestID=</span><span class="s">&quot;_192.168.16.51.1024506224022&quot;</span>
      <span class="na">IssueInstant=</span><span class="s">&quot;2002-06-19T17:03:44.022Z&quot;</span><span class="nt">&gt;</span>
      <span class="nt">&lt;samlp:AssertionArtifact&gt;</span>
        ST-1-u4hrm3td92cLxpCvrjylcas.example.com
      <span class="nt">&lt;/samlp:AssertionArtifact&gt;</span>
    <span class="nt">&lt;/samlp:Request&gt;</span>
  <span class="nt">&lt;/SOAP-ENV:Body&gt;</span>
<span class="nt">&lt;/SOAP-ENV:Envelope&gt;</span>
</code></pre></div>

<h2 id="sample-response">Sample Response</h2>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;SOAP-ENV:Envelope</span> <span class="na">xmlns:SOAP-ENV=</span><span class="s">&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;SOAP-ENV:Header</span> <span class="nt">/&gt;</span>
  <span class="nt">&lt;SOAP-ENV:Body&gt;</span>
    <span class="nt">&lt;Response</span> <span class="na">xmlns=</span><span class="s">&quot;urn:oasis:names:tc:SAML:1.0:protocol&quot;</span> <span class="na">xmlns:saml=</span><span class="s">&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;</span>
    <span class="na">xmlns:samlp=</span><span class="s">&quot;urn:oasis:names:tc:SAML:1.0:protocol&quot;</span> <span class="na">xmlns:xsd=</span><span class="s">&quot;http://www.w3.org/2001/XMLSchema&quot;</span>
    <span class="na">xmlns:xsi=</span><span class="s">&quot;http://www.w3.org/2001/XMLSchema-instance&quot;</span> <span class="na">IssueInstant=</span><span class="s">&quot;2008-12-10T14:12:14.817Z&quot;</span>
    <span class="na">MajorVersion=</span><span class="s">&quot;1&quot;</span> <span class="na">MinorVersion=</span><span class="s">&quot;1&quot;</span> <span class="na">Recipient=</span><span class="s">&quot;https://eiger.iad.vt.edu/dat/home.do&quot;</span>
    <span class="na">ResponseID=</span><span class="s">&quot;_5c94b5431c540365e5a70b2874b75996&quot;</span><span class="nt">&gt;</span>
      <span class="nt">&lt;Status&gt;</span>
        <span class="nt">&lt;StatusCode</span> <span class="na">Value=</span><span class="s">&quot;samlp:Success&quot;</span><span class="nt">&gt;</span>
        <span class="nt">&lt;/StatusCode&gt;</span>
      <span class="nt">&lt;/Status&gt;</span>
      <span class="nt">&lt;Assertion</span> <span class="na">xmlns=</span><span class="s">&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;</span> <span class="na">AssertionID=</span><span class="s">&quot;_e5c23ff7a3889e12fa01802a47331653&quot;</span>
      <span class="na">IssueInstant=</span><span class="s">&quot;2008-12-10T14:12:14.817Z&quot;</span> <span class="na">Issuer=</span><span class="s">&quot;localhost&quot;</span> <span class="na">MajorVersion=</span><span class="s">&quot;1&quot;</span>
      <span class="na">MinorVersion=</span><span class="s">&quot;1&quot;</span><span class="nt">&gt;</span>
        <span class="nt">&lt;Conditions</span> <span class="na">NotBefore=</span><span class="s">&quot;2008-12-10T14:12:14.817Z&quot;</span> <span class="na">NotOnOrAfter=</span><span class="s">&quot;2008-12-10T14:12:44.817Z&quot;</span><span class="nt">&gt;</span>
          <span class="nt">&lt;AudienceRestrictionCondition&gt;</span>
            <span class="nt">&lt;Audience&gt;</span>
              https://some-service.example.com/app/
            <span class="nt">&lt;/Audience&gt;</span>
          <span class="nt">&lt;/AudienceRestrictionCondition&gt;</span>
        <span class="nt">&lt;/Conditions&gt;</span>
        <span class="nt">&lt;AttributeStatement&gt;</span>
          <span class="nt">&lt;Subject&gt;</span>
            <span class="nt">&lt;NameIdentifier&gt;</span>johnq<span class="nt">&lt;/NameIdentifier&gt;</span>
            <span class="nt">&lt;SubjectConfirmation&gt;</span>
              <span class="nt">&lt;ConfirmationMethod&gt;</span>
                urn:oasis:names:tc:SAML:1.0:cm:artifact
              <span class="nt">&lt;/ConfirmationMethod&gt;</span>
            <span class="nt">&lt;/SubjectConfirmation&gt;</span>
          <span class="nt">&lt;/Subject&gt;</span>
          <span class="nt">&lt;Attribute</span> <span class="na">AttributeName=</span><span class="s">&quot;uid&quot;</span> <span class="na">AttributeNamespace=</span><span class="s">&quot;http://www.ja-sig.org/products/cas/&quot;</span><span class="nt">&gt;</span>
            <span class="nt">&lt;AttributeValue&gt;</span>12345<span class="nt">&lt;/AttributeValue&gt;</span>
          <span class="nt">&lt;/Attribute&gt;</span>
          <span class="nt">&lt;Attribute</span> <span class="na">AttributeName=</span><span class="s">&quot;groupMembership&quot;</span> <span class="na">AttributeNamespace=</span><span class="s">&quot;http://www.ja-sig.org/products/cas/&quot;</span><span class="nt">&gt;</span>
            <span class="nt">&lt;AttributeValue&gt;</span>
              uugid=middleware.staff,ou=Groups,dc=vt,dc=edu
            <span class="nt">&lt;/AttributeValue&gt;</span>
          <span class="nt">&lt;/Attribute&gt;</span>
          <span class="nt">&lt;Attribute</span> <span class="na">AttributeName=</span><span class="s">&quot;eduPersonAffiliation&quot;</span> <span class="na">AttributeNamespace=</span><span class="s">&quot;http://www.ja-sig.org/products/cas/&quot;</span><span class="nt">&gt;</span>
            <span class="nt">&lt;AttributeValue&gt;</span>staff<span class="nt">&lt;/AttributeValue&gt;</span>
          <span class="nt">&lt;/Attribute&gt;</span>
          <span class="nt">&lt;Attribute</span> <span class="na">AttributeName=</span><span class="s">&quot;accountState&quot;</span> <span class="na">AttributeNamespace=</span><span class="s">&quot;http://www.ja-sig.org/products/cas/&quot;</span><span class="nt">&gt;</span>
            <span class="nt">&lt;AttributeValue&gt;</span>ACTIVE<span class="nt">&lt;/AttributeValue&gt;</span>
          <span class="nt">&lt;/Attribute&gt;</span>
        <span class="nt">&lt;/AttributeStatement&gt;</span>
        <span class="nt">&lt;AuthenticationStatement</span> <span class="na">AuthenticationInstant=</span><span class="s">&quot;2008-12-10T14:12:14.741Z&quot;</span>
        <span class="na">AuthenticationMethod=</span><span class="s">&quot;urn:oasis:names:tc:SAML:1.0:am:password&quot;</span><span class="nt">&gt;</span>
          <span class="nt">&lt;Subject&gt;</span>
            <span class="nt">&lt;NameIdentifier&gt;</span>johnq<span class="nt">&lt;/NameIdentifier&gt;</span>
            <span class="nt">&lt;SubjectConfirmation&gt;</span>
              <span class="nt">&lt;ConfirmationMethod&gt;</span>
                urn:oasis:names:tc:SAML:1.0:cm:artifact
              <span class="nt">&lt;/ConfirmationMethod&gt;</span>
            <span class="nt">&lt;/SubjectConfirmation&gt;</span>
          <span class="nt">&lt;/Subject&gt;</span>
        <span class="nt">&lt;/AuthenticationStatement&gt;</span>
      <span class="nt">&lt;/Assertion&gt;</span>
    <span class="nt">&lt;/Response&gt;</span>
  <span class="nt">&lt;/SOAP-ENV:Body&gt;</span>
<span class="nt">&lt;/SOAP-ENV:Envelope&gt;</span>
</code></pre></div>

<h2 id="configuration">Configuration</h2>

<p>In addition to the <code>cas-server-support-saml</code> module dependency, the following 5 steps are required to enabled the SAML 1.1 support.</p>

<h3 id="definitionmapping-of-samlvalidatecontroller">Definition/Mapping of <code>samlValidateController</code></h3>

<p>In <code>cas-servlet.xml</code>:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;samlValidateController&quot;</span> <span class="na">class=</span><span class="s">&quot;org.jasig.cas.web.ServiceValidateController&quot;</span>
  <span class="na">p:validationSpecificationClass=</span><span class="s">&quot;org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification&quot;</span>
  <span class="na">p:centralAuthenticationService-ref=</span><span class="s">&quot;centralAuthenticationService&quot;</span>
  <span class="na">p:proxyHandler-ref=</span><span class="s">&quot;proxy20Handler&quot;</span>
  <span class="na">p:argumentExtractor-ref=</span><span class="s">&quot;samlArgumentExtractor&quot;</span>
  <span class="na">p:successView=</span><span class="s">&quot;casSamlServiceSuccessView&quot;</span>
  <span class="na">p:failureView=</span><span class="s">&quot;casSamlServiceFailureView&quot;</span><span class="nt">/&gt;</span>
</code></pre></div>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;handlerMappingC&quot;</span> <span class="na">class=</span><span class="s">&quot;org.springframework.web.servlet.handler.SimpleUrlHandlerMapping&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">&quot;mappings&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;props&gt;</span>
      ...
      <span class="nt">&lt;prop</span> <span class="na">key=</span><span class="s">&quot;/samlValidate&quot;</span><span class="nt">&gt;</span>samlValidateController<span class="nt">&lt;/prop&gt;</span>
      ...
</code></pre></div>

<h3 id="servlet-mapping-for-samlvalidate">Servlet mapping for <code>/samlValidate</code></h3>

<p>In the <code>web.xml</code> file:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;servlet-mapping&gt;</span>
  <span class="nt">&lt;servlet-name&gt;</span>cas<span class="nt">&lt;/servlet-name&gt;</span>
  <span class="nt">&lt;url-pattern&gt;</span>/samlValidate<span class="nt">&lt;/url-pattern&gt;</span>
<span class="nt">&lt;/servlet-mapping&gt;</span>
</code></pre></div>

<h3 id="saml-argument-extractor">SAML Argument Extractor</h3>

<p>In the <code>argumentExtractorsConfiguration.xml</code> file:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;samlArgumentExtractor&quot;</span> <span class="na">class=</span><span class="s">&quot;org.jasig.cas.support.saml.web.support.SamlArgumentExtractor&quot;</span> <span class="nt">/&gt;</span>

<span class="nt">&lt;util:list</span> <span class="na">id=</span><span class="s">&quot;argumentExtractors&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;ref</span> <span class="na">bean=</span><span class="s">&quot;casArgumentExtractor&quot;</span> <span class="nt">/&gt;</span>
  <span class="nt">&lt;ref</span> <span class="na">bean=</span><span class="s">&quot;samlArgumentExtractor&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/util:list&gt;</span>
</code></pre></div>

<h3 id="saml-id-generator">SAML ID Generator</h3>

<p>In the uniqueIdGenerators.xml file:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;samlServiceTicketUniqueIdGenerator&quot;</span> <span class="na">class=</span><span class="s">&quot;org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;constructor-arg</span> <span class="na">index=</span><span class="s">&quot;0&quot;</span> <span class="na">value=</span><span class="s">&quot;https://localhost:8443&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/bean&gt;</span>

<span class="nt">&lt;util:map</span> <span class="na">id=</span><span class="s">&quot;uniqueIdGeneratorsMap&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;entry</span>
    <span class="na">key=</span><span class="s">&quot;org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl&quot;</span>
    <span class="na">value-ref=</span><span class="s">&quot;serviceTicketUniqueIdGenerator&quot;</span> <span class="nt">/&gt;</span>
  <span class="nt">&lt;entry</span>
    <span class="na">key=</span><span class="s">&quot;org.jasig.cas.support.saml.authentication.principal.SamlService&quot;</span>
    <span class="na">value-ref=</span><span class="s">&quot;samlServiceTicketUniqueIdGenerator&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/util:map&gt;</span>
</code></pre></div>

<h3 id="saml-views">SAML Views</h3>

<p>In the <code>cas-servlet.xml</code> file:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;viewResolver&quot;</span> <span class="na">class=</span><span class="s">&quot;org.springframework.web.servlet.view.ResourceBundleViewResolver&quot;</span> <span class="na">p:order=</span><span class="s">&quot;0&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">&quot;basenames&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;list&gt;</span>
      <span class="nt">&lt;value&gt;</span>${cas.viewResolver.basename}<span class="nt">&lt;/value&gt;</span>
      <span class="nt">&lt;value&gt;</span>protocol_views<span class="nt">&lt;/value&gt;</span>
      <span class="nt">&lt;value&gt;</span>saml_views<span class="nt">&lt;/value&gt;</span>
    <span class="nt">&lt;/list&gt;</span>
  <span class="nt">&lt;/property&gt;</span>
<span class="nt">&lt;/bean&gt;</span>
</code></pre></div>

<h1 id="saml-2-google-apps-integration">SAML 2 (Google Apps Integration)</h1>
<p>Google Apps utilizes SAML 2 to provide <a href="https://developers.google.com/google-apps/sso/saml_reference_implementation">an integration point for external authentication services</a>. CAS includes an <code>ArgumentExtractor</code> and accompanying <code>Service</code> to provide process and understand SAML 2 requests from Google.</p>

<div class="alert alert-warning"><strong>Usage Warning!</strong><p>Though Google Accounts integration is enabled through the use of SAML 2 AuthenticationRequests and Assertions, it may not work with any SAML 2 compliant application. </p></div>

<h2 id="configuration-1">Configuration</h2>

<h3 id="generate-dsarsa-keys">Generate DSA/RSA Keys</h3>
<p>The first step is to generate DSA/RSA public and private keys. These are used to sign and read the Assertions. After you’ve generated your keys, you will need to register the public key with Google. The keys will also need to be available to the CAS application but not publicly available over the Internet. It is recommended that you place the keys within the classpath (i.e. <code>WEB-INF/classes</code>) though any location accessible by the user running the web server instance and not served publicly to the Internet is acceptable. </p>

<div class="highlight"><pre><code class="bash">openssl genrsa -out private.key 1024
openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
openssl pkcs8 -topk8 -inform PER -outform DER -nocrypt -in private.key -out private.p8
openssl req -new -x509 -key private.key -out x509.pem -days 365
</code></pre></div>

<p>The <code>public.key</code> and <code>private.p8</code> must be in the classpath. The <code>x509.pem</code> file should be uploaded into Google Apps.</p>

<h3 id="configure-cas-server">Configure CAS Server</h3>
<p>Google Accounts integration within CAS is enabled by simply adding an additional <code>ArgumentExtractor</code> to the list of <code>ArgumentExtractors</code>. You’ll need to modify the <code>WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml</code>, and add the following:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;googleAccountsArgumentExtractor&quot;</span> 
      <span class="na">class=</span><span class="s">&quot;org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor&quot;</span>
      <span class="na">p:privateKey-ref=</span><span class="s">&quot;privateKeyFactoryBean&quot;</span>
      <span class="na">p:publicKey-ref=</span><span class="s">&quot;publicKeyFactoryBean&quot;</span>
      <span class="na">p:alternateUsername</span><span class="s">&quot;mail&quot;</span>
      <span class="nt">/&gt;</span>

<span class="nt">&lt;util:list</span> <span class="na">id=</span><span class="s">&quot;argumentExtractors&quot;</span><span class="nt">&gt;</span>
	<span class="nt">&lt;ref</span> <span class="na">bean=</span><span class="s">&quot;casArgumentExtractor&quot;</span> <span class="nt">/&gt;</span>
	<span class="nt">&lt;ref</span> <span class="na">bean=</span><span class="s">&quot;samlArgumentExtractor&quot;</span> <span class="nt">/&gt;</span>
	<span class="nt">&lt;ref</span> <span class="na">bean=</span><span class="s">&quot;googleAccountsArgumentExtractor&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/util:list&gt;</span>

<span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;privateKeyFactoryBean&quot;</span> <span class="na">class=</span><span class="s">&quot;org.jasig.cas.util.PrivateKeyFactoryBean&quot;</span>
      <span class="na">p:location=</span><span class="s">&quot;classpath:private.p8&quot;</span>
      <span class="na">p:algorithm=</span><span class="s">&quot;RSA&quot;</span> <span class="nt">/&gt;</span>

<span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;publicKeyFactoryBean&quot;</span>	<span class="na">class=</span><span class="s">&quot;org.jasig.cas.util.PublicKeyFactoryBean&quot;</span>
      <span class="na">p:location=</span><span class="s">&quot;classpath:public.key&quot;</span>
      <span class="na">p:algorithm=</span><span class="s">&quot;RSA&quot;</span> <span class="nt">/&gt;</span>
</code></pre></div>

<p>
As an optional step, you can configure an <code>alternateUsername</code> to be send to Google in the SAML reply.
This <code>alternameUsername</code> can be mapped in XML to a CAS principal attribute.	
</p>

<p>Replace the <code>public.key</code> and <code>private.key</code> with the names of your key files. If you are using DSA instead of RSA, change the algorithm as appropriate.</p>

<p>You’ll also need to add a new generator in the <code>WEB-INF/spring-configuration/uniqueIdGenerators.xml</code> file:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;util:map</span> <span class="na">id=</span><span class="s">&quot;uniqueIdGeneratorsMap&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;entry</span>
    <span class="na">key=</span><span class="s">&quot;org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl&quot;</span>
    <span class="na">value-ref=</span><span class="s">&quot;serviceTicketUniqueIdGenerator&quot;</span> <span class="nt">/&gt;</span>
  <span class="nt">&lt;entry</span>
    <span class="na">key=</span><span class="s">&quot;org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService&quot;</span>
    <span class="na">value-ref=</span><span class="s">&quot;serviceTicketUniqueIdGenerator&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/util:map&gt;</span>
</code></pre></div>

<h3 id="configure-google">Configure Google</h3>
<p>You’ll need to provide Google with the URL for your SAML-based SSO service, as well as the URL your users will be redirected to when they log out of a hosted Google application.</p>

<p>Use the following URLs when you are configuring for Google Apps</p>

<pre><code>Sign-in page URL: https://yourCasServer/login
Sign-out page URL: https://yourCasServer/logout
Change password URL: http://whateverServerYouWouldLike
</code></pre>

<h3 id="register-google-with-cas">Register Google with CAS</h3>

<pre><code>Name : Google Apps
Service URL : https://www.google.com/a/YourGoogleDomain/acs
</code></pre>

<h1 id="customizing-the-saml-artifact">Customizing the SAML Artifact</h1>
<p>When constructing an instance of the <code>SamlCompliantUniqueTicketIdGenerator</code> available at <code>cas-server-webapp/WEB-INF/spring-configuration/uniqueIdGenerators.xml</code>, you may set the <code>saml2compliant</code> property to “true” in order to generate SAML2 artifacts. Otherwise SAML1 compliant artifacts are generated.</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">&quot;samlServiceTicketUniqueIdGenerator&quot;</span> <span class="na">class=</span><span class="s">&quot;org.jasig.cas.util.SamlCompliantUniqueTicketIdGenerator&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;constructor-arg</span> <span class="na">index=</span><span class="s">&quot;0&quot;</span> <span class="na">value=</span><span class="s">&quot;https://localhost:8443&quot;</span> <span class="nt">/&gt;</span>
    <span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">&quot;saml2compliant&quot;</span> <span class="na">value=</span><span class="s">&quot;true&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/bean&gt;</span>
</code></pre></div>


        </section>
      </div>

    <!-- FOOTER  -->
    <div id="footer_wrap" class="outer">
      <footer class="inner">
        <p>CAS is supported by the <a href="http://www.apereo.org/">Apereo Foundation</a>.</p>
      </footer>
    </div>
  </body>
</html>
